Target faces lawsuits, state probes after customer data breach

Tiffany Hsu

Instead of basking in holiday cheer, Target Corp. is spending the crucial shopping days before Christmas dealing with probes from several state attorneys general, infuriated social media comments and customer lawsuits over a massive data breach.

In a rough year for retail, when consumers are already hesitant to splurge, the fiasco is fast becoming a nightmare.

"There's never a good time for this to happen," said Charles O'Shea, an analyst with Moody's Investors Service. "But if there's a worse time than during the holidays, I'd like to know what it is."

Target — one of the country's largest retailers — is facing accusations that it waited too long in disclosing that its system had been hacked, exposing some 40 million of its customers' credit and debit card accounts. The Minneapolis company waited until Thursday to confirm that a break-in occurred between Nov. 27 and Dec. 15.

The information was then downplayed on the retailer's website, tucked out of view at the very top of the page.

Now, potential victims have said they've been having problems reaching Target's customer service department through its website and call centers. Angry and afraid of identity theft and that scammers might siphon their money dry, they took to social media in droves to vent.

Bekah Sims Andrews complained on Facebook of waiting for 48 minutes on hold hoping to reach a Target associate before being suddenly booted off the call and hearing a busy signal.

Target apologized with a form response, saying the delays were caused by "significantly higher volume than normal" to call centers. The retailer said it was "adding team member support and system capacity as quickly as possible," working to "build capacity hour by hour."

Georgia Slifco Parsons wrote that she had to change her checking account number because it was tied to her Target debit card. As a result, she will have to buy new checks and change the account number for every bill she pays online, she said.

"Thanks Target for this mess right at Christmas," Parsons wrote, vowing to stop shopping at the chain.

Social media bitterness isn't Target's only concern.

At least two lawsuits seeking class-action status have been filed against the retailer, and more are expected.

A California customer filed one such suit in federal court in San Francisco, alleging invasion of privacy and negligence. Jennifer Kirk said in her complaint that she is a regular Target customer and used her debit card while buying Christmas items for her family.

Kirk alleged that Target "failed to implement and maintain reasonable security procedures and practices appropriate to the nature and scope of the information compromised in the data breach." In the complaint, she also accused Target of "conveying a false sense of security to affected customers" by suggesting that the problem had been resolved.

The lawsuit lists worries that have been voiced by many Target regulars: that identity thieves could use the stolen data to take out loans, incur charges, file fake tax returns or commit immigration fraud. Kirk complained that she and any other plaintiffs "now face years of constant surveillance of their financial and personal records, monitoring and loss of rights."

And a suit filed by Orange County resident Colleen Klein accused Target of "misrepresentations, concealments and non-disclosure of its poor, substandard security practices." She believes "that a portion of the money she paid for retail products at Target was to provide for adequate security to protect her personal information and the security of the credit card she used," according to the complaint.

Separately, four state attorneys general have their eyes on Target.

In Connecticut, Atty. Gen. George Jepsen sent a letter to the retailer requesting more information on the breach. South Dakota Atty. Gen. Marty Jackley warned shoppers to stay vigilant for unauthorized charges.

New York Atty. Gen. Eric Schneiderman said he sent a letter to Target's investor relations bureau expressing concern that "there are already reported incidents of identity theft affecting New York consumers." He later said he would "continue to use every power at my disposal to determine the extent of this breach."

Similarly, Massachusetts Atty. Gen. Martha Coakley said her office reached out to the retailer to review the circumstances of the breach and how Target plans to address it. She said she will work with her peers nationwide "to determine whether Target had proper safeguards in place to protect consumer information."

Target said Friday that it has begun contacting customers whose email addresses it has on file and who shopped in a U.S. store with a credit or debit card during the affected time. The company expects to finish sending the emails by the end of the weekend and emphasized that the communiques are "absolutely not an indication that there has been, or will be, fraud" on customers' cards.

So far, Target said it has heard of very few reports of actual fraud. The retailer said that PINs don't appear to have been affected, which means criminals shouldn't be able to withdraw cash from an ATM with fraudulently obtained debit card data.

Also spared, according to Target: shoppers' dates of birth and Social Security numbers.

Target said it alerted Visa, MasterCard, Discover and American Express to card numbers that might have been affected. The card networks are forwarding the numbers to financial institutions to provide an extra layer of fraud monitoring, Target said.

"We want to reassure guests that they will not be held financially responsible for any credit card or debit card fraud," the company said in a statement.

Target Chief Executive Gregg Steinhafel issued a statement Friday afternoon about the fiasco in which he said that affected customers will have access to free credit monitoring services to provide them "with extra assurance."

He also promised shoppers a 10% discount in U.S. stores Saturday and Sunday.

"We recognize this has been confusing and disruptive during an already busy holiday season," he said.